Watch Tower functionality

In Watch Tower, I'm getting a message as below for couple of logins.

Vulnerable Password
The password has been compromised in a data breach according to Please change your password

I don't understand this and have concerns over this warning.
There are some websites that only allow us to maintain only numeric passwords. Even if I change the password to some random number, this message is not vanished.

What does it mean? My whole login is compromised or should I disregard?
Any documentation regarding this functionality would be helpful.

If this is a wrong message, I hope 1Password developers trigger only genuine warnings.

1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided
Referrer: forum-search:email address


  • @harish_ravikumar

    Even if I change the password to some random number, this message is not vanished.

    Because the potential variations of numeric-only passwords is very limited.

    For security 1Password does not send the complete 1Password to "haveibeenpwned".

    What does it mean? My whole login is compromised or should I disregard?

    It means the password is compromised. If hackers steal that website's password file they'll have a good chance at breaking into your login.

    If this is a wrong message, I hope 1Password developers trigger only genuine warnings.

    It's a genuine warning.

    Complain to the websites in question that they're compromising your security by not allowing strong passwords.

  • bundtkatebundtkate

    Team Member

    To elaborate on @gazu's excellent advice above, @harish_ravikumar, what this ultimately means is that at some point in time, this particular password has been found as part of a data breach. It doesn't mean your account has been compromised, just that the password is out there in the world which necessarily makes it more vulnerable. As gazu said, there are only so many numeric combinations out there, so statistically, most of them probably are vulnerable and there's not going to be anything you can do about that. That stinks for sure, and the real root problem isn't you – it's those sites that think numeric passwords are a good idea – but sometimes that's the world we live in and we've just gotta cope until they figure things out.

    With that said, I have a few items like this myself and I actually like that they're flagged. It reminds me that this is an account I need to pay special attention to because it is more vulnerable to being broken into. When I do my rounds to deal with any new Watchtower warnings, I also check my account activity on sites where I'm not able to secure that password. That way, I am keeping a constant eye out for anything suspicious and can react quickly if something is amiss.

    Finally, if you'd like to learn more about the Watchtower warnings, we cover them all here:

  • Hello @bundtkate @gazu Many thanks for your feedback.

    Though I tend to agree that the sites should enforce strong passwords, it might not be necessary for every case.
    For example, most of the banks' login only allows numeric password, a person that cracks can do no further (brute-force will lock the account apparently after few failed tries) and all them enforce second authentication for any transactions.

    This two level security maybe sufficient for people like me. I don't think any bank will pay heed to anyone's request to enforce strong passwords.

    What I'd expect from Watch Tower is the possibility to disregard these cases (instead of being flagged), so it won't be considered in the analysis. I don't want my account to be unnecessarily flagged when I know it is already safe.


  • GregGreg

    Team Member


    This is a tricky feature to add, as we don't want to encourage having weak passwords everywhere and then dismissing Watchtower warnings. We will pass your suggestions to our team and we will have further discussion. Thank you again! :+1:


  • edited June 2019

    Hi @Greg
    Thanks for your response.
    My request for Watch Tower is not to automatically disregard these sites. It can continue to flag as compromised. But I can choose to disregard this site from being flagged manually. This is not possible today.
    I've seen a similar functionality in other password manager which I have used in the past.

  • bundtkatebundtkate

    Team Member

    The concern is the same, @harish_ravikumar – making it too easy to dismiss these warnings can encourage them being ignored, even when folks are able to act on the warnings. That said, we're fully conscious of the fact that there are cases where you cannot do anything to correct a vulnerable password, and are certainly open to options to tidy things up in such cases.

    Also, although this is definitely a matter of opinion, I would argue that banks absolutely will listen to requests from their customers to allow stronger passwords. This may well vary from country to country, but here in the U.S., we have myriad options for banking that allow us greater password freedom and if customers take their business elsewhere as a result of poor security choices by a bank they will take that into account. It may not immediately translate into change and there may not be enough who care just yet to have any meaningful impact on their business, but we need to start somewhere and there's value in having your voice heard. With strong 2FA, you may correct that the danger of using a weak password is lessened, but some forms of 2FA (like SMS) aren't as great an extra layer as many think. They're better than nothing by far, but SIM swapping – an attack where someone asks your carrier for a new SIM card to be attached to your phone number – is becoming increasingly common. We humans are often the weak link in any system and, unfortunately, bad actors have been able to exploit humans at cell carriers to essentially bypass the protections 2FA provides. This isn't to say 2FA is bad – it's good and you should use it – but I would still say a strong password is an important component for any account, where possible. It's one of the two factors, after all, and you're always better off if both are strong.

    Of course, we're all going to make our decisions based upon our own threat model, and I'm certainly not going to expect everyone's to be the same as my own. There are folks who are going to be less paranoid than I and those that will take my paranoia to another level entirely and that's fine. But my advice (and 1Password's generally) is always going to be to use a different strong password for each site that hasn't been compromised in the past, with 2FA where available. Doing so will ensure your account is as safe as it can be under all circumstances. :+1:

This discussion has been closed.